A data breach has exposed sensitive documents related to vehicle seizures by the Irish National Police, potentially impacting thousands of vehicle owners.
A database containing over half a million records (500,000) hosting sensitive information associated with vehicle seizures by the Irish National Police, Garda Síochána was leaked online.
Cybersecurity researcher Jeremiah Fowler made the discovery and promptly alerted the authorities after finding the unsecured database, highlighting the potential risks to the affected individuals.
The breach involved a non-password-protected database, totalling 521,043 records, which included notices of automobile seizure, destruction notices, release documents, scanned identification documents, insurance investigation inquiries, certificates of vehicle registration, and other pertinent documentation relevant to the detention of vehicles.
Furthermore, the database contained spreadsheets and monthly reports containing extensive vehicle and registration information, names of vehicle owners, contractor details, and other potentially sensitive data, amounting to a substantial 271.8 gigabytes in size.
Under Irish law, when a vehicle is seized, the registered owner must present several documents, including identification, insurance documents, and receipts for taxes and recovery/storage charges.
Given that the database contained an average of 2 to 5 documents for each individual case, it is estimated that approximately 150,000 vehicle owners could be affected by this breach. Fowler’s findings align with the estimation that around 30,000 vehicles are detained each year, as reported in a 2020 article by the Irish Examiner. Notably, the records retrieved from the exposed database span multiple years, dating back to 2017.
According to Fowler’s blog post, at first, it was unclear who owned the database due to the numerous towing and storage companies mentioned in the documents. However, all documents referenced the Garda Síochána. Fowler promptly sent a responsible disclosure notice directly to the Garda, which resulted in the database being secured later that day.
Further investigation revealed that the database was owned by a private technology contractor based in Limerick, Ireland, rather than the Garda Síochána. The contractor quickly responded to the breach, cooperating with Fowler to confirm the security of the records and assess whether any unauthorized parties had accessed them.
While the exposed records are officially related to the Garda’s seizure and storage of vehicles, it’s essential to clarify that the Garda Síochána was not directly responsible for the misconfiguration of the cloud storage repository that led to the data breach.
According to Irish law, the Garda Síochána has the authority to seize and retain vehicles for various reasons, including ensuring road safety, enforcing the law, and complying with road traffic regulations. Seizing, towing, and storing these vehicles are typically outsourced to private towing companies authorized by the Garda.
Within the exposed database, numerous waivers of ownership documents were discovered, where citizens relinquish their vehicles to the police when they cannot pay the fines and storage fees or no longer wish to reclaim their property. Additionally, the breach exposed various Freedom of Information Act request documents that identified other expenses and budget details.
4th Data Security Incident Involving UK Police in 2023
In August of this year, the Police Service of Northern Ireland (PSNI) experienced a significant security breach, inadvertently disclosing the personal information of its entire workforce, encompassing officers and civilian staff.
On August 27, 2023, a data breach involving an IT contractor affected 47,000 members of the Metropolitan Police Force. This breach exposed the personal details of Met Police officers and staff, comprising names, photographs, ranks, vetting levels, and identification numbers.
In September 2023, a contractor data breach impacted 8,000 officers from the Greater Manchester Police. This breach involved the suspected theft of warrant card details from thousands of officers.
The Irish National Police, Garda Síochána, must now work closely with the private technology contractor responsible for the database to ensure that affected individuals receive proper notification and support in response to this significant data breach. It serves as a stark reminder of the importance of data security and the potential risks faced by individuals when their sensitive information is mishandled.
- UK Royal Family Website Hit by DDoS Attack from KillNet
- UK Power and Data Manufacturer Volex Hit by Cyberattack
- UK Air Traffic Control System Collapses, Causing Travel Chaos
- Police Seize iSpoof domains as UK’s largest bank call scam is disrupted
- UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released
- UK Electoral Commission Admits Major Data Breach Spanning Over a Year